The year started with reports of the cyberattack on the Ukrainian power grid, confirming the security community's worst fears about the vulnerability of critical infrastructure. This was followed by the Israeli Ministry of Power reporting a malware campaign against its network. The spectre of critical infrastructure attacks is rising, and CISOs protecting these targeted organizations are under increased pressure to identify emerging risks and prepare an appropriate response.

"It's not an overstatement to say we are not in a state of responding to the increasing sophistication of cyber threats of the 21st century and innovative mechanisms of attackers," says Sahay of the Karnataka Police. "It's essential to go beyond ISO standards and benchmarks to tackle growing threats."

"While an attempt is being made to secure India's critical infrastructure, there are huge gaps in understanding the components of critical infrastructure, execution of strategies," maintains Murthy of Digital India. "There's a lack of architectural framework and no common enforcement policy."

Infrastructure Protection: Where Does India Stand?

Security leaders say India is still at an infancy stage in assessing the national inventory of critical infrastructure, identifying key resources and coming up with a concrete plan to protect them against the rapid growth of dangerous malware invading our systems.

"While there's the huge challenge of identifying the components of critical infrastructure, given the spread of these across public and private sectors, the bigger task is to define the roles and responsibilities of industries and organizations in taking the onus of protecting this infrastructure," says Target's Mehta.

Some argue that security practitioners in most organizations are unaware of the mechanisms hackers use to gain a foothold and take control of commands to penetrate the network - a big concern that no amount of advisories or alerts can address.

The cyberattack on the Ukrainian power grid stands as testimony to how vulnerable any critical infrastructure can be - a typical kill chain using phishing malware, they say.

Given that over 90 percent of the critical infrastructure is owned and managed by the private sector, HCL's Sarangi says these are under threat from various dimensions.

"The threats are originating from neighbouring states who are using three simple applications from Google to steal information - a hacking community stealing identities for the heck of it, insider threats and external individual threats which are becoming a menace, and the human element enhancing threat opportunities, resulting in poor defences due to the lack of an information sharing mechanism," Sarangi says.

While little has been done to secure critical infrastructure, mainly because of a lack of skills, proper communication and awareness, critics say that this is also why boards neither take ownership of critical infrastructure protection nor hold security teams accountable for any untoward incident.

Sahay argues that most security breaches, approximately 80 percent, are a result of human intent or error. "These include misconfigured systems or applications, vulnerable code, end-user error, targeted attack exploited or undetermined factors," says Sahay.

According to Murthy, the challenge is that Indian organizations don't have prescribed policies or procedures or standards to provide clear direction for protecting infrastructure, unlike in other countries that have addressed the issue. "So, security practitioners are constrained in identifying risks associated with critical infrastructure," he argues.

Where to Start?

The Indian government has set up the National Critical Information Infrastructure Protection Centre to assess risks associated with India's critical infrastructure. Experts say the process of taking stock of the national inventory must be expedited.

To start with, Sahay recommends:

Build a risk-aware culture;

Automate security hygiene and manage incidents with intelligence;

Protect the network and end-points.

Mehta says moving beyond traditional controls is vital. "Collaboration becomes very critical in investing in R&D, information sharing and defining the security and risk framework in responding to emerging threats."

Harsha Sastry sees the need to approach the issue with a business continuity and disaster recovery perspective to protect the nation's assets and build resilience. Sastry recommends four key imperatives:

Asset inventory: Know the assets on the network on a real-time basis;

Business impact analysis: Annual is a mandate, but he advises quarterly, monthly and daily analysis;

Continuity and crisis management plan: This is critical, as convergence is key. Write what you do, and do what you write;

Disciplined exercising and testing: Test for extended periods and in worst case scenarios.

"Having a robust business continuity plan and focusing on end-point, data leakage solutions are important, but educating users on the best and right practices, besides thrust on actionable threat intelligence is critical," he says.

"Reporting the incidents to the concerned authority can help in seeking experts' help in responding to threats," Sarangi says.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
